US7864954B2 - Method and system for encryption and authentication - Google Patents

Method and system for encryption and authentication Download PDF

Info

Publication number
US7864954B2
US7864954B2 US10/239,581 US23958103A US7864954B2 US 7864954 B2 US7864954 B2 US 7864954B2 US 23958103 A US23958103 A US 23958103A US 7864954 B2 US7864954 B2 US 7864954B2
Authority
US
United States
Prior art keywords
key
units
generating
unit
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US10/239,581
Other versions
US20030156721A1 (en
Inventor
Mathias Widman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Impsys AB
Original Assignee
Impsys AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=20278997&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US7864954(B2) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Impsys AB filed Critical Impsys AB
Assigned to IMPSYS AB reassignment IMPSYS AB ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: WIDMAN, MATHIAS
Publication of US20030156721A1 publication Critical patent/US20030156721A1/en
Application granted granted Critical
Publication of US7864954B2 publication Critical patent/US7864954B2/en
Adjusted expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/081Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying self-generating credentials, e.g. instead of receiving credentials from an authority or from another peer, the credentials are generated at the entity itself

Definitions

  • the present invention relates to a method and a system for secure encrypted transmission or authentication between at least two units via an insecure communication channel.
  • Similar problems are encountered in order to provide secure verification of units, so called authentication, via insecure communication channels.
  • authentication is based on transmission between the units of data that are based on a unique key.
  • the key may be used to encrypt a check sum based on a transmitted or received message. Also in this case one is confronted with the same problems as those found in other encrypted transmission in the case of transmission of keys between the units.
  • one object of the present invention is to provide a method and a system of encrypted transmission and authentication via an insecure communication channel that completely or at least partly solve the above stated problems found in the prior-art technology.
  • FIG. 1 is a schematic view of a key-generating unit in accordance with one embodiment of the invention.
  • FIG. 2 is a flow chart for performing encrypted transmission or authentication in accordance with one embodiment of the invention.
  • the invention relates to a system for secure encrypted transmission/authentication between at least two units via an insecure communication channel.
  • the communication channel could be any channel via which data may be transmitted, and more specifically, the channel could be stationary as well as wireless.
  • Each such unit comprises a key-generating unit 1 , as shown in FIG. 1 .
  • This kind of key-generating units comprise a memory 10 , wherein identical original values U, so called seeds, have been stored, preferably in a dynamic and/inter-/exchangeable manner.
  • the storage of original values preferably is effected in connection with the introductory initiation of the units, and advantageously it could be effected via a secure channel.
  • the original values need not, however, be transmitted physically but instead the users of the units concerned may themselves input an agreed-upon value.
  • the original values may be exchanged, when needed, but alternatively the same original values are used for the duration of the entire life of the key-generating unit. In this case the original values need not be stored in dynamic memories, but instead permanent memories may be
  • the key-generating units comprise a counter to periodically change a counting value R, and a calculating unit adapted to generate, in each and every unit and independently of other units, a key based on the original value, and a counting value issued by the counter.
  • the counter and the calculating unit may be integrated in the same unit 11 , which advantageously may be a micro-processor, such as a commercially available CPU.
  • the counter may advantageously be controlled by an oscillator or a clock, which could likewise be integrated in unit 11 .
  • a real-time-based clock which is integrated with the CPU 11 , is used.
  • the counter is increased stepwise by integers, whereby it becomes easier to keep the units in phase with one another (synchronised).
  • identical keys may be generated in several key-generating units, independently of one other. These keys may then be used for encrypting or authenticating purposes between the units.
  • the key-generating units preferably are adapted to sense whether they are synchronised or not, and in case they are not, to implement this synchronisation. Sensing may be performed by means of a particular synchronising test that is performed prior to the generation of keys. Alternatively, a need for synchronisation may, however, be identified when different keys are used, and only thereafter may synchronisation resetting be effected. Synchronisation may be effected for example by exchange of counting values between the units.
  • This calculating algorithm preferably is implemented in hardware in the calculating unit, or alternatively it is stored in a non-dynamic and unchangeable memory.
  • the calculating algorithm preferably generates a 128-bit key, but keys of other lengths are of course also conceivable. Every time an order is given to the key generator to produce a new key therefore a new pseudo-random 128-bit word is generated, which is calculated on the basis of the “seed” and the counting value.
  • the key-generating unit 1 further comprises an interface part 12 serving to enable communication between the communicating unit and the key-generating unit.
  • this communication comprises emission of instructions to the key-generating unit to generate a key and the emission of a thus generated key back to the communicating unit.
  • the key-generating unit is implemented in hardware and executed in the form of an integrated circuit, thereby making it more difficult to tamper with.
  • This circuit may then be added to and used together with essentially any type of communicative unit.
  • the key-generating units in accordance with the invention may be used either for point-to-point communication or authentication, i.e. between two units, or between a central unit, a server, or several users, clients.
  • a central unit preferably comprises a plurality of different key-generating units, one for each client in communication with the central unit.
  • a key unit could comprise several different original values, in which case the command to the key-generating unit to generate a key also comprises information regarding which original value should be used. It is likewise possible for several units that communicate with the central unit to have identical key-generating units, enabling them to communicate with the same key-generating unit in the central unit.
  • the central unit preferably comprises a means for software implementation of the key generation unit whereas the clients have hardware implemented means.
  • the clients could be smart cards or mobile telephones, computers and the like.
  • the system in accordance with the invention may be used between a bank and its clients, between enterprises and their employees, between a company and its subsidiaries, and so on.
  • the system may be used to control access to home pages via Internet or the like, for example by connecting its smart card to a reader provided for that purpose, and in this manner it becomes possible also to control the access to electronic equipment that communicates wireless for example via Blue-tooth.
  • units that are not central units may comprise several original values, in the same key-generating device or in separate units, in order to communicate via several separate channels. In this manner the unit may be used for communication with several different central units.
  • a smart card may be used for communication with several different banks or other establishments.
  • a first step S 1 the units intended for future intercommunication are initiated, in which process they are provided with identical original values and preferably are also synchronised.
  • the system is now ready for use, and at a later time, which may occur after the lapse of an arbitrary period of time after the initiation, the units are interconnected via an insecure communication channel (step S 2 ), and at least one of the unit identifies itself to the other (step S 3 ).
  • step S 4 the other unit determines whether the identity given is known and whether it has a corresponding key-generating circuit, i.e. a key-generating circuit as defined above and with a corresponding original value. If this is the case, the process proceeds to step S 5 , otherwise the process is interrupted.
  • step S 8 The units then agree to execute encrypted transmission or authentication, whereby each one separately calculates keys in the respective key-generating unit (step S 8 ).
  • a synchronisation test (S 6 ) might have been made to investigate whether the counters in the respective key-generating units are synchronised. If this is the case, the process continues directly to step S 8 , otherwise a synchronisation step (S 7 ) is first executed to reset the inter-unit synchronisation. Step S 7 could, however, alternatively be omitted and the process of identifying that the units are no longer synchronised could instead be effected by reckoning that identical keys have not been used. In this case, the process thereafter executes the synchronisation step S 7 and then returns to step S 8 in order to again calculate keys in the respective units.
  • the calculated keys are then used to execute encrypted transmission or authentication. It should be understood, however, that encrypted transmission and authentication of course may be effected simultaneously and in the same process. Encrypting and authentication may be effected with the aid of essentially any encrypting algorithm that uses keys, as the known RFSM and RSA algorithms.
  • the invention may be used for authentication, i.e. verification that the unit with which one communicates is the one it claims to be, as well as for key-generation for encrypted transmission purposes.
  • the units that are used in connection with the present invention such as smart cards, telephones and the like, could however advantageously be equipped with means arranged to ensure that the unit user is the correct one, i.e. authentication between users and the communicating unit.
  • Such authentication may be effected with the aid of input of a code, identification of finger-prints and the like.
  • the system and the method in accordance with the invention provides a simple and inexpensive way of achieving a high degree of security in encrypted transmission and authentication, since the invention makes it possible to create the same key synchronously in two different places and without exchange of information, or possibly with exchange of information as to which key in the sequence is to be created, i.e. the counting value. Consequently, no keys need be exchanged to execute authentication or encrypted transmission between two units, such as between a server and a client, or vice versa. This makes it possible to use shorter keys as well, which provides for less expensive and more efficient transmission while at the same time security is maintained or even is increased in comparison with conventional systems. Thanks to the invention a large portion of the security means may to a large extent be hardware-integrated, which increases the security even more, since preferably in this case only the seed is exchangeable and normally only the generated keys are accessible from outside.
  • the method and the system do not depend on the encrypting or authentication method used but may be used in a simple and secure manner to generate keys, and consequently it may be used together with most known methods of this kind.
  • the key-generating unit preferably is implemented in hardware, which makes the key-generating process completely hidden to the user. It is, however, also possible to implement the key-generating unit in software in an ordinary computer.
  • the units in the system may be essentially any communicative electronic units.
  • the counters used to generate the counting values for the key-generating units could also be of any type, provided that they generate counting values that vary with time.

Abstract

A method and a system for encrypted transmission or authentication between at least two units via an insecure communication channel, comprising the steps of: (a) in an initiation procedure, producing a common original value to be used in the respective units; (b) synchronising a counting value in each unit; (c) generating a key on the basis of the original value and the counting value in each unit, independently of other units; and (d) using the thus generated key in a subsequent encrypted transmission or authentication operation.

Description

TECHNICAL FIELD
The present invention relates to a method and a system for secure encrypted transmission or authentication between at least two units via an insecure communication channel.
BACKGROUND
Normally, it is difficult to achieve secure encrypted transmission via insecure communication channels, such as public telephone lines, data networks, in radio-transmission operations, and so on. Conventional encrypting algorithms require that keys in the form of private or public keys be transmitted between the units. Such key transmission does, however, cause practical problems. The keys may be transmitted on separate secure channels, but this solution is inconvenient, expensive and time-consuming. Alternatively, the keys may be transmitted via the insecure channel on which the encrypted message is then to be transmitted. However, this procedure involves a security risk. Also when encrypting systems having so called open keys are used, such as the RSA system, the transmission of the key means that larger and more complex keys and encrypting algorithms are required in order to ensure that the encrypted transmission is sufficiently secure, which naturally involves increased inconvenience and costs.
Similar problems are encountered in order to provide secure verification of units, so called authentication, via insecure communication channels. Such authentication is based on transmission between the units of data that are based on a unique key. For example, the key may be used to encrypt a check sum based on a transmitted or received message. Also in this case one is confronted with the same problems as those found in other encrypted transmission in the case of transmission of keys between the units.
OBJECT OF THE INVENTION
Consequently, one object of the present invention is to provide a method and a system of encrypted transmission and authentication via an insecure communication channel that completely or at least partly solve the above stated problems found in the prior-art technology.
This object is achieved by means of a method and a system as defined in the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be described in more detail in the following with the aid of one embodiment and with reference to the appended claims, wherein:
FIG. 1 is a schematic view of a key-generating unit in accordance with one embodiment of the invention; and
FIG. 2 is a flow chart for performing encrypted transmission or authentication in accordance with one embodiment of the invention.
 DESCRIPTION OF PREFERRED EMBODIMENTS
The invention relates to a system for secure encrypted transmission/authentication between at least two units via an insecure communication channel. The communication channel could be any channel via which data may be transmitted, and more specifically, the channel could be stationary as well as wireless. Each such unit comprises a key-generating unit 1, as shown in FIG. 1. This kind of key-generating units comprise a memory 10, wherein identical original values U, so called seeds, have been stored, preferably in a dynamic and/inter-/exchangeable manner. The storage of original values preferably is effected in connection with the introductory initiation of the units, and advantageously it could be effected via a secure channel. Possibly, the original values need not, however, be transmitted physically but instead the users of the units concerned may themselves input an agreed-upon value. In addition, the original values may be exchanged, when needed, but alternatively the same original values are used for the duration of the entire life of the key-generating unit. In this case the original values need not be stored in dynamic memories, but instead permanent memories may be used.
In addition, the key-generating units comprise a counter to periodically change a counting value R, and a calculating unit adapted to generate, in each and every unit and independently of other units, a key based on the original value, and a counting value issued by the counter. Advantageously however, the counter and the calculating unit may be integrated in the same unit 11, which advantageously may be a micro-processor, such as a commercially available CPU. The counter may advantageously be controlled by an oscillator or a clock, which could likewise be integrated in unit 11. Preferably a real-time-based clock, which is integrated with the CPU 11, is used. In addition, the counter is increased stepwise by integers, whereby it becomes easier to keep the units in phase with one another (synchronised).
Provided that the same original values are stored in the memory 10 and that the counters are synchronised to deliver the same counting value, identical keys may be generated in several key-generating units, independently of one other. These keys may then be used for encrypting or authenticating purposes between the units.
Furthermore, the key-generating units preferably are adapted to sense whether they are synchronised or not, and in case they are not, to implement this synchronisation. Sensing may be performed by means of a particular synchronising test that is performed prior to the generation of keys. Alternatively, a need for synchronisation may, however, be identified when different keys are used, and only thereafter may synchronisation resetting be effected. Synchronisation may be effected for example by exchange of counting values between the units.
The calculating unit comprises a calculating algorithm F, which uses the original value and the counting value as input parameters, i.e. F=f(R,U). This calculating algorithm preferably is implemented in hardware in the calculating unit, or alternatively it is stored in a non-dynamic and unchangeable memory. The calculating algorithm preferably generates a 128-bit key, but keys of other lengths are of course also conceivable. Every time an order is given to the key generator to produce a new key therefore a new pseudo-random 128-bit word is generated, which is calculated on the basis of the “seed” and the counting value.
The key-generating unit 1 further comprises an interface part 12 serving to enable communication between the communicating unit and the key-generating unit. Preferably, this communication comprises emission of instructions to the key-generating unit to generate a key and the emission of a thus generated key back to the communicating unit.
Advantageously the key-generating unit is implemented in hardware and executed in the form of an integrated circuit, thereby making it more difficult to tamper with. This circuit may then be added to and used together with essentially any type of communicative unit. For example, it is possible to use the key-generating unit in accordance with the invention together with rechargeable cards, so called smart cards, in portable or stationary computers, in mobile telephones, electronic calendars and similar electronic equipment that is communicative.
However, it is likewise possible to implement the key-generating unit in software for example in a conventional computer, and to use existing memories and the like. This alternative is particularly advantageous for implementation in stationary units, and in particular units that are used as central units.
The key-generating units in accordance with the invention may be used either for point-to-point communication or authentication, i.e. between two units, or between a central unit, a server, or several users, clients. Such a central unit preferably comprises a plurality of different key-generating units, one for each client in communication with the central unit. Alternatively, a key unit could comprise several different original values, in which case the command to the key-generating unit to generate a key also comprises information regarding which original value should be used. It is likewise possible for several units that communicate with the central unit to have identical key-generating units, enabling them to communicate with the same key-generating unit in the central unit.
In the case of a central unit, adapted to communicate with several other units, the central unit preferably comprises a means for software implementation of the key generation unit whereas the clients have hardware implemented means. For example, the clients could be smart cards or mobile telephones, computers and the like. Thus, the system in accordance with the invention may be used between a bank and its clients, between enterprises and their employees, between a company and its subsidiaries, and so on. In addition, the system may be used to control access to home pages via Internet or the like, for example by connecting its smart card to a reader provided for that purpose, and in this manner it becomes possible also to control the access to electronic equipment that communicates wireless for example via Blue-tooth.
Also units that are not central units may comprise several original values, in the same key-generating device or in separate units, in order to communicate via several separate channels. In this manner the unit may be used for communication with several different central units. For example, a smart card may be used for communication with several different banks or other establishments.
In the following an encrypted transmission or authentication with the aid of the system of the invention will be described with reference to FIG. 2. In a first step S1, the units intended for future intercommunication are initiated, in which process they are provided with identical original values and preferably are also synchronised. The system is now ready for use, and at a later time, which may occur after the lapse of an arbitrary period of time after the initiation, the units are interconnected via an insecure communication channel (step S2), and at least one of the unit identifies itself to the other (step S3). In step S4, the other unit determines whether the identity given is known and whether it has a corresponding key-generating circuit, i.e. a key-generating circuit as defined above and with a corresponding original value. If this is the case, the process proceeds to step S5, otherwise the process is interrupted.
The units then agree to execute encrypted transmission or authentication, whereby each one separately calculates keys in the respective key-generating unit (step S8). Before this happens, a synchronisation test (S6) might have been made to investigate whether the counters in the respective key-generating units are synchronised. If this is the case, the process continues directly to step S8, otherwise a synchronisation step (S7) is first executed to reset the inter-unit synchronisation. Step S7 could, however, alternatively be omitted and the process of identifying that the units are no longer synchronised could instead be effected by reckoning that identical keys have not been used. In this case, the process thereafter executes the synchronisation step S7 and then returns to step S8 in order to again calculate keys in the respective units.
The calculated keys are then used to execute encrypted transmission or authentication. It should be understood, however, that encrypted transmission and authentication of course may be effected simultaneously and in the same process. Encrypting and authentication may be effected with the aid of essentially any encrypting algorithm that uses keys, as the known RFSM and RSA algorithms.
The invention may be used for authentication, i.e. verification that the unit with which one communicates is the one it claims to be, as well as for key-generation for encrypted transmission purposes. The units that are used in connection with the present invention, such as smart cards, telephones and the like, could however advantageously be equipped with means arranged to ensure that the unit user is the correct one, i.e. authentication between users and the communicating unit. Such authentication may be effected with the aid of input of a code, identification of finger-prints and the like.
The system and the method in accordance with the invention provides a simple and inexpensive way of achieving a high degree of security in encrypted transmission and authentication, since the invention makes it possible to create the same key synchronously in two different places and without exchange of information, or possibly with exchange of information as to which key in the sequence is to be created, i.e. the counting value. Consequently, no keys need be exchanged to execute authentication or encrypted transmission between two units, such as between a server and a client, or vice versa. This makes it possible to use shorter keys as well, which provides for less expensive and more efficient transmission while at the same time security is maintained or even is increased in comparison with conventional systems. Thanks to the invention a large portion of the security means may to a large extent be hardware-integrated, which increases the security even more, since preferably in this case only the seed is exchangeable and normally only the generated keys are accessible from outside.
Several varieties of the system and the method described above are possible. For example, the method and the system do not depend on the encrypting or authentication method used but may be used in a simple and secure manner to generate keys, and consequently it may be used together with most known methods of this kind. In addition, the key-generating unit preferably is implemented in hardware, which makes the key-generating process completely hidden to the user. It is, however, also possible to implement the key-generating unit in software in an ordinary computer. In addition, the units in the system may be essentially any communicative electronic units. The counters used to generate the counting values for the key-generating units could also be of any type, provided that they generate counting values that vary with time. It is likewise possible to omit counters in one or several units, and in this case the step of synchronising the counters is replaced by a step involving exchange of counting values between the units, i.e. to synchronise the counting values, before each key-generating operation. Such and other obvious varieties must be regarded to be within the scope of protection of the invention as the latter is defined in the appended claims.

Claims (24)

The invention claimed is:
1. A method for encrypted transmission or authentication between at least two key-generating units via an insecure communication channel, comprising the initiation steps of:
in an initiation procedure, obtaining a common original value to be used in the respective key-generating units; and
interconnecting the at least two key-generating units via the insecure communications channel,
wherein the method for each encrypted transmission or authentication between the at least two key-generating units via the insecure communication channel further comprises the session steps of,
changing autonomously, in a synchronised and periodical fashion, a common counting value in each key-generating unit,
generating a common key on the basis of the original value and the counting value in each key-generating unit, independently of other key-generating units, wherein the key generation in each key-generating unit takes place without use of any information received from other key-generating units, and
using the thus generated keys in a subsequent encrypted transmission or authentication operation, and
wherein the key-generating units are configured to detect when the key-generating units are not synchronised and to then restore synchronisation.
2. The method as claimed in claim 1, wherein the original value is saved in a dynamic and exchangeable fashion at least in one of the key-generating units.
3. The method as claimed in claim 1, wherein the counting value is generated in a counter in each key-generating unit, the synchronisation of the counting values involving synchronisation of the counters.
4. The method as claimed in claim 1, wherein the key-generating operation on the basis of the original value and the counting value is effected by means of a calculating algorithm stored in a non-dynamic and non-changeable fashion in at least one of the key-generating units.
5. The method as claimed in claim 1, wherein at least one of the key-generating units is a mobile unit, such as a smart card or a mobile telephone.
6. The method as claimed in claim 1, wherein one of the key-generating units is a central unit comprising a plurality of original values for secure encrypted transmission or authentication with relation to several different key-generating units having one original value each.
7. The method as claimed in claim 1, wherein changing autonomously, in a synchronised and periodical fashion, the common counting value in each key-generating unit includes changing the common counting value in each of the at least two key-generating units, respectively, so that the common counting values for the at least two key-generating units are the same.
8. The method as claimed in claim 2, wherein the counting value is generated in a counter in each unit, the synchronisation of the counting values involving synchronisation of the counters.
9. The method as claimed in claim 2, wherein the key-generating operation on the basis of the original value and the counting value is effected by a calculating algorithm stored in a non-dynamic and non-changeable fashion in at least one of the units.
10. The method as claimed in claim 2, wherein at least one of the units is a mobile unit, such as a smart card or a mobile telephone.
11. The method as claimed in claim 2, wherein one of the units is a central unit comprising a plurality of original values for secure encrypted transmission or authentication with relation to several different units having one original value each.
12. The method as claimed in claim 3, wherein following the initial synchronisation of the counters, the key-generating units execute supplementary synchronisation steps only when a lack of synchronization is detected.
13. A system for encrypted transmission/authentication between at least two units via an insecure communication channel, wherein each unit comprises:
a key-generating unit, the key-generating units comprising a memory, in which identical original values are stored, a counter configured to periodically and autonomously change a counting value, the counting value being common for the at least two units and, the change being synchronized between the at least two units: and
a calculating unit configured to generate in each unit and independently of other units, a key on the basis of the original value and a counting value issued from the counter, wherein the key generation in each unit takes place without use of any information received from other units, the keys being configured to be used for encrypted transmission or authentication between the units,
wherein the key-generating units are configured to detect when the key-generating units are not synchronised and to then restore synchronisation.
14. The system as claimed in claim 13, wherein the memory for storing of the original value in at least one of the units is a dynamic memory configured to store the original value in a dynamic and exchangeable fashion.
15. The system as claimed in claim 13, wherein the calculating unit of at least one of the units comprises a calculating algorithm, which is stored in a non-dynamic and non-changeable fashion, and which is hardware-implemented.
16. The system as claimed in claim 13, wherein at least one of the units is a mobile unit, such as a smart card or a mobile telephone.
17. The system as claimed in claim 13, wherein one of the units is a central unit comprising a plurality of original values for secure encrypted transmission or authentication involving several different units having one original value each.
18. The system as claimed in claim 13, wherein the calculating unit of at least one of the units comprises a calculating algorithm, which is stored in a non-dynamic and non-changeable fashion, and which is hardware-implemented.
19. The system as claimed in claim 13, wherein the counter is further configured to change the common counting value in each of the at least two units, respectively, so that the common counting values for the at least two units are the same.
20. The system as claimed in claim 14, wherein the calculating unit of at least one of the units comprises a calculating algorithm, which is stored in a non-dynamic and non-changeable fashion, and which is hardware-implemented.
21. A method for encrypted transmission or authentication between at least two key-generating units via an insecure communication channel, comprising the initiation steps of:
in an initiation procedure, obtaining a common original value to be used in the respective key-generating units; and
interconnecting the at least two key-generating units via the insecure communications channel,
wherein the method for each encrypted transmission or authentication between the at least two key-generating units via the insecure communication channel further comprises the session steps of
changing autonomously, in a synchronised and periodical fashion, a common counting value in each key-generating unit,
generating a common key on the basis of the original value and the counting value in each key-generating unit, independently of other key-generating units, wherein the key generation in each key-generating unit takes place without use of any information received from other key-generating units, and
using the thus generated keys in a subsequent encrypted transmission or authentication operation, and
wherein the key-generating operation on the basis of the original value and the counting value is effected by means of a calculating algorithm stored in a non-dynamic and non-changeable fashion in at least one of the key-generating units.
22. A method for encrypted transmission or authentication between at least two key-generating units via an insecure communication channel, comprising the initiation steps of:
in an initiation procedure, obtaining a common original value to be used in the respective key-generating units; and
interconnecting the at least two key-generating units via the insecure communications channel,
wherein the method for each encrypted transmission or authentication between the at least two key-generating units via the insecure communication channel further comprises the session steps of
changing autonomously, in a synchronised and periodical fashion, a common counting value in each key-generating unit,
generating a common key on the basis of the original value and the counting value in each key-generating unit, independently of other key-generating units, wherein the key generation in each key-generating unit takes place without use of any information received from other key-generating units, and
using the thus generated keys in a subsequent encrypted transmission or authentication operation, and
wherein the original value is saved in a dynamic and exchangeable fashion at least in one of the key-generating units, and
the key-generating operation on the basis of the original value and the counting value is effected by a calculating algorithm stored in a non-dynamic and non-changeable fashion in at least one of the key-generating units.
23. A method for encrypted transmission or authentication between at least two key-generating units via an insecure communication channel, comprising the initiation steps of:
in an initiation procedure, obtaining a common original value to be used in the respective key-generating units; and
interconnecting the at least two key-generating units via the insecure communications channel,
wherein the method for each encrypted transmission or authentication between the at least two key-generating units via the insecure communication channel further comprises the session steps of
changing autonomously, in a synchronised and periodical fashion, a common counting value in each key-generating unit,
generating a common key on the basis of the original value and the counting value in each key-generating unit, independently of other units, wherein the key generation in each key-generating unit takes place without use of any information received from other key-generating units, and
using the thus generated keys in a subsequent encrypted transmission or authentication operation, and
wherein changing autonomously, in a synchronised and periodical fashion, the common counting value in each key-generating unit includes changing the common counting value in each of the at least two key-generating units, respectively, so that the common counting values for the at least two key-generating units are the same.
24. A system for encrypted transmission/authentication between at least two units via an insecure communication channel, wherein each unit comprises:
a key-generating unit, the key-generating units comprising a memory, in which identical original values are stored, a counter configured to periodically and autonomously change a counting value, the counting value being common for the at least two units and, the change being synchronized between the at least two units, and
a calculating unit configured to generate in each unit and independently of other units, a key on the basis of the original value and a counting value issued from the counter, wherein the key generation in each unit takes place without use of any information received from other units, the keys being configured to be used for encrypted transmission or authentication between the units,
wherein the counter is further configured to change the common counting value in each of the at least two units, respectively, so that the common counting values for the at least two units are the same.
US10/239,581 2000-03-24 2001-03-26 Method and system for encryption and authentication Expired - Fee Related US7864954B2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
SE0001044A SE517460C2 (en) 2000-03-24 2000-03-24 Method and system for encryption and authentication
SE0001044-7 2000-03-24
SE0001044 2000-03-24
PCT/SE2001/000648 WO2001074007A1 (en) 2000-03-24 2001-03-26 Method and system for encryption and authentication

Publications (2)

Publication Number Publication Date
US20030156721A1 US20030156721A1 (en) 2003-08-21
US7864954B2 true US7864954B2 (en) 2011-01-04

Family

ID=20278997

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/239,581 Expired - Fee Related US7864954B2 (en) 2000-03-24 2001-03-26 Method and system for encryption and authentication

Country Status (9)

Country Link
US (1) US7864954B2 (en)
EP (1) EP1275218A1 (en)
JP (1) JP2003529288A (en)
CN (1) CN1211978C (en)
AU (2) AU2001242982B2 (en)
CA (1) CA2404227A1 (en)
SE (1) SE517460C2 (en)
TW (1) TW556425B (en)
WO (1) WO2001074007A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10841091B2 (en) 2018-10-02 2020-11-17 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10992477B2 (en) 2018-10-02 2021-04-27 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ITRM20020489A1 (en) * 2002-09-30 2004-04-01 Daniele Misrachi DATA TRANSFER METHOD.
KR100493885B1 (en) * 2003-01-20 2005-06-10 삼성전자주식회사 Electronic Registration and Verification System of Smart Card Certificate For Users in A Different Domain in a Public Key Infrastructure and Method Thereof
JP2006522507A (en) * 2003-04-01 2006-09-28 エントロピック・テクノロジーズ・プロプライエタリー・リミテッド Secure communication system and secure communication method
JP2007506392A (en) * 2003-09-22 2007-03-15 イムプシス ディジタル セキュリティ アクチボラゲット Data communication security mechanisms and methods
US7647498B2 (en) 2004-04-30 2010-01-12 Research In Motion Limited Device authentication
WO2006112307A1 (en) * 2005-04-15 2006-10-26 Matsushita Electric Industrial Co., Ltd. Concealment control method, and radio communication control device
JP4919690B2 (en) * 2006-04-19 2012-04-18 シーイエス エレクトロニカ インダストリア エ コメルスィオ リミタダ Magnetic card reading system
US8259935B2 (en) * 2006-05-12 2012-09-04 John Thomas Riedl Secure communication method and system
US9225518B2 (en) * 2006-12-08 2015-12-29 Alcatel Lucent Method of providing fresh keys for message authentication
ES2560873T3 (en) 2007-12-27 2016-02-23 Nec Corporation Radio communication system, radio communication device and encryption method
US20100098247A1 (en) * 2008-10-20 2010-04-22 Nokia Corporation Method, Apparatus And Computer Program Product For Generating An Encryption Key And An Authentication Code Key Utilizing A Generic Key Counter
EP2219374A1 (en) * 2009-02-13 2010-08-18 Irdeto Access B.V. Securely providing a control word from a smartcard to a conditional access module
EP2224762B1 (en) * 2009-02-26 2019-04-10 BlackBerry Limited System and method for establishing a secure communication link
US8379860B2 (en) 2009-02-26 2013-02-19 Ascendent Telecommunications, Inc. System and method for establishing a secure communication link
US10003581B2 (en) * 2014-12-09 2018-06-19 Avago Technologies General Ip (Singapore) Pte. Ltd. Secure connection establishment
JP6380686B2 (en) * 2015-10-06 2018-08-29 富士通株式会社 Mounting unit, mounting unit verification method, and mounting unit verification program
TWI694707B (en) * 2016-10-03 2020-05-21 日商日本電氣股份有限公司 Communication device, communication method, communication system and recording medium
WO2018096559A1 (en) * 2016-11-22 2018-05-31 Ezetap Mobile Solutions Pvt. Ltd. System and method for translation and authentication of secure pin and sensitive data

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4799061A (en) * 1985-11-18 1989-01-17 International Business Machines Corporation Secure component authentication system
US4876716A (en) * 1986-08-22 1989-10-24 Nec Corporation Key distribution method
US5136642A (en) * 1990-06-01 1992-08-04 Kabushiki Kaisha Toshiba Cryptographic communication method and cryptographic communication device
US5216715A (en) * 1989-06-16 1993-06-01 Siemens Aktiengesellschaft Key distribution in public communication networks taking account of security gradations
US5237611A (en) * 1992-07-23 1993-08-17 Crest Industries, Inc. Encryption/decryption apparatus with non-accessible table of keys
US5251258A (en) * 1991-03-05 1993-10-05 Nec Corporation Key distribution system for distributing a cipher key between two subsystems by one-way communication
US5319712A (en) * 1993-08-26 1994-06-07 Motorola, Inc. Method and apparatus for providing cryptographic protection of a data stream in a communication system
US5455862A (en) 1993-12-02 1995-10-03 Crest Industries, Inc. Apparatus and method for encrypting communications without exchanging an encryption key
US5467398A (en) * 1994-07-05 1995-11-14 Motorola, Inc. Method of messaging in a communication system
WO1998003026A1 (en) 1996-07-11 1998-01-22 Gemplus S.C.A. Enhanced short message and method for synchronising and ensuring security of enhanced short messages exchanged in a cellular radio communication system
US5790677A (en) * 1995-06-29 1998-08-04 Microsoft Corporation System and method for secure electronic commerce transactions
US5960086A (en) * 1995-11-02 1999-09-28 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks
US6097813A (en) * 1996-05-15 2000-08-01 Certicom Corp. Digital signature protocol with reduced bandwidth
US6105008A (en) * 1997-10-16 2000-08-15 Visa International Service Association Internet loading system using smart card
US20030196099A1 (en) * 1998-10-26 2003-10-16 Lampson Butler W. System and method for secure storage of data using public and private keys
US20050235152A1 (en) * 2004-03-16 2005-10-20 Kabushiki Kaisha Toshiba Encryption key sharing scheme for automatically updating shared key
US6981154B2 (en) * 1998-11-09 2005-12-27 First Data Corporation Account authority digital signature (AADS) accounts
US20060120531A1 (en) * 2004-09-08 2006-06-08 Qualcomm Incorporated Bootstrapping authentication using distinguished random challenges
US7657488B2 (en) * 1997-07-15 2010-02-02 Silverbrook Research Pty Ltd Validating apparatus having encryption integrated circuits
US7752441B2 (en) * 2006-02-13 2010-07-06 Alcatel-Lucent Usa Inc. Method of cryptographic synchronization

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS63187830A (en) * 1987-01-30 1988-08-03 Hitachi Ltd Open code book cryptographic system
JPS63232539A (en) * 1987-03-20 1988-09-28 Hitachi Ltd Code book ciphering system
NZ237080A (en) * 1990-03-07 1993-05-26 Ericsson Telefon Ab L M Continuous synchronisation for duplex encrypted digital cellular telephony
JPH07303104A (en) * 1994-05-06 1995-11-14 Nippon Telegr & Teleph Corp <Ntt> Storage type communication system with ciphering function
JP3445490B2 (en) * 1998-03-25 2003-09-08 株式会社日立製作所 Mobile communication method and mobile communication system

Patent Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4799061A (en) * 1985-11-18 1989-01-17 International Business Machines Corporation Secure component authentication system
US4876716A (en) * 1986-08-22 1989-10-24 Nec Corporation Key distribution method
US5216715A (en) * 1989-06-16 1993-06-01 Siemens Aktiengesellschaft Key distribution in public communication networks taking account of security gradations
US5136642A (en) * 1990-06-01 1992-08-04 Kabushiki Kaisha Toshiba Cryptographic communication method and cryptographic communication device
US5251258A (en) * 1991-03-05 1993-10-05 Nec Corporation Key distribution system for distributing a cipher key between two subsystems by one-way communication
US5237611A (en) * 1992-07-23 1993-08-17 Crest Industries, Inc. Encryption/decryption apparatus with non-accessible table of keys
US5319712A (en) * 1993-08-26 1994-06-07 Motorola, Inc. Method and apparatus for providing cryptographic protection of a data stream in a communication system
US5455862A (en) 1993-12-02 1995-10-03 Crest Industries, Inc. Apparatus and method for encrypting communications without exchanging an encryption key
US5467398A (en) * 1994-07-05 1995-11-14 Motorola, Inc. Method of messaging in a communication system
US5790677A (en) * 1995-06-29 1998-08-04 Microsoft Corporation System and method for secure electronic commerce transactions
US5960086A (en) * 1995-11-02 1999-09-28 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks
US6097813A (en) * 1996-05-15 2000-08-01 Certicom Corp. Digital signature protocol with reduced bandwidth
WO1998003026A1 (en) 1996-07-11 1998-01-22 Gemplus S.C.A. Enhanced short message and method for synchronising and ensuring security of enhanced short messages exchanged in a cellular radio communication system
US7657488B2 (en) * 1997-07-15 2010-02-02 Silverbrook Research Pty Ltd Validating apparatus having encryption integrated circuits
US6105008A (en) * 1997-10-16 2000-08-15 Visa International Service Association Internet loading system using smart card
US20030196099A1 (en) * 1998-10-26 2003-10-16 Lampson Butler W. System and method for secure storage of data using public and private keys
US6981154B2 (en) * 1998-11-09 2005-12-27 First Data Corporation Account authority digital signature (AADS) accounts
US20050235152A1 (en) * 2004-03-16 2005-10-20 Kabushiki Kaisha Toshiba Encryption key sharing scheme for automatically updating shared key
US20060120531A1 (en) * 2004-09-08 2006-06-08 Qualcomm Incorporated Bootstrapping authentication using distinguished random challenges
US7752441B2 (en) * 2006-02-13 2010-07-06 Alcatel-Lucent Usa Inc. Method of cryptographic synchronization

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Bluetooth Specification; Nov. 29, 1999.
Digital cellular telecommunications system (Phase 2+); Security related network functions (GSM 03.20 version 6.1.0 Release 1997) 71 pages.
Patent Abstract of Japan, 63-187830, Aug. 3, 1988, Shigeno Takeshi.
Patent Abstract of Japan, 63-232539, Sep. 28, 1988, Shigeno Takeshi.

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10841091B2 (en) 2018-10-02 2020-11-17 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US10992477B2 (en) 2018-10-02 2021-04-27 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US11233645B2 (en) 2018-10-02 2022-01-25 Capital One Services, Llc Systems and methods of key selection for cryptographic authentication of contactless cards
US11804964B2 (en) 2018-10-02 2023-10-31 Capital One Services, Llc Systems and methods for cryptographic authentication of contactless cards
US11843698B2 (en) 2018-10-02 2023-12-12 Capital One Services, Llc Systems and methods of key selection for cryptographic authentication of contactless cards

Also Published As

Publication number Publication date
US20030156721A1 (en) 2003-08-21
EP1275218A1 (en) 2003-01-15
SE0001044D0 (en) 2000-03-24
SE517460C2 (en) 2002-06-11
CA2404227A1 (en) 2001-10-04
TW556425B (en) 2003-10-01
CN1211978C (en) 2005-07-20
SE0001044L (en) 2001-10-08
CN1426646A (en) 2003-06-25
AU2001242982B2 (en) 2005-10-27
JP2003529288A (en) 2003-09-30
WO2001074007A1 (en) 2001-10-04
AU4298201A (en) 2001-10-08

Similar Documents

Publication Publication Date Title
US7864954B2 (en) Method and system for encryption and authentication
US20230231711A1 (en) Blockchain-implemented method and system
AU2001242982A1 (en) Method and system for encryption and authentication
US20050154896A1 (en) Data communication security arrangement and method
US6985583B1 (en) System and method for authentication seed distribution
DK2158717T3 (en) REMOTE AUTHENTICATION AND TRANSACTION SIGNATURE
KR100564677B1 (en) Administration and utilization of secret fresh random numbers in a networked environment
US6904526B1 (en) System and method of authenticating individuals
US7571489B2 (en) One time passcode system
JP4620248B2 (en) Method for authenticating a smart card in a message exchange network
US9467293B1 (en) Generating authentication codes associated with devices
CN107528688A (en) A kind of keeping of block chain key and restoration methods, device based on encryption commission technology
CN100518411C (en) Dynamic cipher system and method based on mobile communication terminal
Nicolosi et al. Proactive Two-Party Signatures for User Authentication.
US20070255951A1 (en) Token Based Multi-protocol Authentication System and Methods
CN109150519A (en) Anti- quantum calculation cloud storage method of controlling security and system based on public keys pond
CN106664202A (en) Methods, systems and computer program product for providing encryption on a plurality of devices
JPH10171909A (en) User aucentication device and its method
US11375369B2 (en) Message authentication method and communication method of communication network system, and communication network system
CN111243133A (en) Bluetooth door lock system based on dynamic password generation and matching and unlocking method
CN101944216A (en) Two-factor online transaction safety authentication method and system
CN110138548A (en) Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system
CN109347923A (en) Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond
JP2006522507A (en) Secure communication system and secure communication method
CN110098925A (en) Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system

Legal Events

Date Code Title Description
AS Assignment

Owner name: IMPSYS AB, SWEDEN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WIDMAN, MATHIAS;REEL/FRAME:013679/0087

Effective date: 20021008

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20150104